[Oisf-users] Performance Issues

Yasha Zislin coolyasha at hotmail.com
Mon Oct 27 17:26:50 UTC 2014


Rmkml,
Thanks for the idea. I have just checked alerts before and after the drop in count. I see some alerts that occur before and after. It's just that the number of alerts gets reduced dramatically. I mean from like 300 to 40. It feels that if I let it run longer, it would drop even lower.
It also looks like the drop in alerts starts to drastically decrease after about 5 or so hours of Suricata running after a service restart.
The only idea that I have is that Suricata reduces the number of false positives once the HTTP session table gets built out.
Thank you.

> Date: Mon, 27 Oct 2014 17:58:21 +0100
> From: rmkml at yahoo.fr
> To: coolyasha at hotmail.com
> CC: oisf-users at lists.openinfosecfoundation.org; rmkml at yahoo.fr
> Subject: Re: [Oisf-users] Performance Issues
> 
> Hi Yasha,
> 
> Sorry I didn't help,
> 
> but maybe you could enable the wget ET sig (2007961) and check if it works every hour, for example with a simple 'wget --user-agent="wget 3.0" http://google.com'....
> (in my example, don't forget to check $HOME_NET... on this sig)
> 
> Do you have the same problem with the latest v2.0.4?
> 
> Regards
> @Rmkml
> 
> 
> On Mon, 27 Oct 2014, Yasha Zislin wrote:
> 
> > 
> > 
> > PERFORMANCE ISSUE
> > 
> > Hi,
> > 
> > I am having a weird performance issue with Suricata.
> > I have Suricata 2.0.1 running on a beefy server (132gb of RAM, 40 logical CPUs). It is monitoring two SPAN ports with mostly HTTP(S) traffic.
> > Each interface has approximately 10 million packets per second of throughput. I am using PF_RING to reduce packet loss.
> > Suricata has been running great. I've tweaked all of the buffers to reduce packet loss to 0%.
> > Recently, I've noticed that the number of alerts is way down from normal even with no packet loss. So I've tried restarting Suricata, and alerts went back to the normal baseline.
> > I need to find out what is going on. Not sure where to look.
> > 
> > Couple of things about my setup:
> > - When Suricata starts, it is using 60 gb of RAM. I've noticed when alert count goes down, memory usage is at 105gb.
> > - After Suricata service restart, it runs for about a day until alert count decreases.
> > - All CPUs are kicking and at no stage does any single CPU get to 100%.
> > - I have 20 detection threads per interface.
> > - I have a 26k ruleset. I know it's big, but since I've got the RAM, I figured I should be ok.
> > - Here is my stream section of the config:
> > stream:
> >   memcap: 60gb
> >   checksum-validation: no      # reject wrong csums
> >   inline: no                  # auto will use inline mode in IPS mode, yes or no set it statically
> >   prealloc-sessions: 2000000
> >   midstream: false
> >   async-oneside: false
> >   reassembly:
> >     memcap: 90gb
> >     depth: 4mb                  # reassemble 4mb into a stream
> >     toserver-chunk-size: 2560
> >     toclient-chunk-size: 2560
> >     randomize-chunk-size: yes
> >     #randomize-chunk-range: 10
> >     #raw: yes
> >     chunk-prealloc: 3000000
> >     segments:
> >       - size: 4
> >         prealloc: 15000
> >       - size: 16
> >         prealloc: 200000
> >       - size: 112
> >         prealloc: 400000
> >       - size: 248
> >         prealloc: 300000
> >       - size: 512
> >         prealloc: 200000
> >       - size: 768
> >         prealloc: 100000
> >       - size: 1448
> >         prealloc: 1000000
> >       - size: 65535
> >         prealloc: 400000
> > 
> > Thank you.
> > 
> >
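The hourly canary check Rmkml suggests, written out as an added example that is not part of the thread and not Suricata's own tooling. It sends the wget probe that ET sid 2007961 matches, counts that sid in fast.log for a given hour, and prints per-hour alert totals so a decay like the one Yasha describes (300 down to 40) shows up as numbers rather than a feeling. The fast.log path, the probe URL, the hypothetical --live flag, the constructed sample log and its placeholder local sid 1000001 are all assumptions; the rule messages in the sample are made up, only the sid and the fast.log line layout are real.

```shell
#!/bin/sh
# Added example, not from the thread or from the Suricata project: a cron-able
# canary check along the lines Rmkml suggests. Paths, URL, the --live flag and
# the sample log below are assumptions.

FAST_LOG="${FAST_LOG:-/var/log/suricata/fast.log}"   # assumed default path
CANARY_SID="${CANARY_SID:-2007961}"                   # ET wget user-agent sig
PROBE_URL="${PROBE_URL:-http://google.com}"           # target from the thread

# send_probe: the probe from the thread. The probing host must be inside
# $HOME_NET for the sig to fire (Rmkml's caveat). Failures are ignored; only
# the traffic on the wire matters.
send_probe() {
    wget -q -O /dev/null --user-agent="wget 3.0" "$PROBE_URL" || true
}

# alerts_per_hour LOGFILE: one "<MM/DD/YYYY-HH> <count>" line per hour seen
# in fast.log, oldest first. fast.log timestamps look like
# 10/27/2014-17:26:50.123456, so the hour is everything before the first ':'.
alerts_per_hour() {
    awk '{ split($1, t, ":"); n[t[1]]++ } END { for (h in n) print h, n[h] }' "$1" | sort
}

# sid_count LOGFILE SID HOURPREFIX: number of fast.log lines for SID whose
# timestamp starts with HOURPREFIX (empty prefix = all hours). The sid is
# matched on the "[1:SID:" token so 2007961 does not match 12007961.
sid_count() {
    awk -v hp="$3" -v sid="$2" \
        '(hp == "" || index($1, hp) == 1) && index($0, "[1:" sid ":") { c++ }
         END { print c + 0 }' "$1"
}

# check_canary LOGFILE SID HOURPREFIX: succeed (exit 0) if the canary sid
# alerted at least once in that hour, otherwise fail.
check_canary() {
    [ "$(sid_count "$1" "$2" "$3")" -gt 0 ]
}

# Constructed sample fast.log (not real data): a busy hour with two canary
# hits, then a later hour with a single alert and no canary hit. Sid 1000001
# is a placeholder local rule and the msg strings are made up.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
10/27/2014-12:00:01.000001  [**] [1:2007961:5] ET POLICY wget user agent (sample msg) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.1.1.5:51234 -> 74.125.1.1:80
10/27/2014-12:00:07.000002  [**] [1:1000001:1] LOCAL placeholder rule [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 74.125.1.1:80 -> 10.1.1.5:51234
10/27/2014-12:30:00.000003  [**] [1:2007961:5] ET POLICY wget user agent (sample msg) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.1.1.5:51235 -> 74.125.1.1:80
10/27/2014-17:05:00.000004  [**] [1:1000001:1] LOCAL placeholder rule [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 74.125.1.1:80 -> 10.1.1.5:51240
EOF

# Live mode (e.g. from cron every hour): send the probe, give Suricata a few
# seconds to log it, then check the current hour of the real fast.log.
if [ "${1:-}" = "--live" ]; then
    send_probe
    sleep 5
    hour="$(date +%m/%d/%Y-%H)"
    if check_canary "$FAST_LOG" "$CANARY_SID" "$hour"; then
        echo "canary OK for $hour"
    else
        echo "canary MISSING for $hour: sid $CANARY_SID not seen" >&2
    fi
    alerts_per_hour "$FAST_LOG"
    exit 0
fi

# Offline demonstration on the constructed log.
echo "alerts per hour:"
alerts_per_hour "$SAMPLE_LOG"
for hour in 10/27/2014-12 10/27/2014-17; do
    if check_canary "$SAMPLE_LOG" "$CANARY_SID" "$hour"; then
        echo "canary OK for $hour"
    else
        echo "canary MISSING for $hour"
    fi
done
```

Run without arguments to see the per-hour table and the canary verdict on the sample; with a cron line such as `0 * * * * /path/to/canary.sh --live` it probes the real sensor once an hour. Keying the count on the "[1:SID:" token rather than on the rule message keeps the check stable across rule revisions, and keeping both the canary verdict and the raw per-hour totals lets you tell a sensor that has stopped alerting altogether apart from one whose volume is merely shrinking, which is the distinction the thread is trying to make.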